iOS 26 Passkeys: Passkey Enhancements Analysis (WWDC25)

Explore the key passkey enhancements in iOS 26. This guide covers the new Passkey Account Creation API, secure import/export and lifecycle management.

Vincent Delitz

Created: June 18, 2025

Updated: May 8, 2026

Key Facts
  • iOS 26 delivers four passkey enhancements: secure import/export, a one-tap Account Creation API, management endpoints and WebAuthn Signal API support for full lifecycle management.
  • The FIDO CXP-aligned transfer is user-initiated, requires biometrics and occurs app-to-app on the same device, avoiding insecure intermediate files.
  • ASAuthorizationAccountCreationProvider enables passwordless-by-default onboarding, combining account creation and passkey provisioning in a single native system UI step.
  • For iCloud Keychain consumer passkeys, Apple sends a zeroed-out AAGUID, prioritizing user privacy over hardware verification while keeping enterprise attestation available for managed device scenarios.

1. Introduction: iOS 26 Passkeys

The release of iOS 26 moves Apple's passkey strategy from foundational to mature, delivering enhancements to address developer friction and user lock-in. The key improvements focus on credential portability, frictionless onboarding and complete lifecycle management.

Table 1: Summary of Key Passkey Enhancements in iOS 26

| Feature/Enhancement | Core Purpose | Key Apple API / Standard |
| --- | --- | --- |
| Secure Passkey Import/Export | Eliminate vendor lock-in with user-controlled credential migration. | ASCredentialExportManager, ASCredentialImportManager, FIDO CXP |
| Passkey Account Creation API | Enable one-tap, passkey-first account registration. | ASAuthorizationAccountCreationProvider |
| Passkey Management Endpoints | Improve discoverability of a service's passkey management pages. | /.well-known/passkey-endpoints |
| WebAuthn Signal API Support | Keep passkey metadata synchronized between service and credential manager. | ASCredentialUpdater, WebAuthn Signal API |

These enhancements arrive on top of an already-strong iOS passkey baseline. The Corbado Passkey Benchmark 2026 Conditional Create rate analysis classifies iOS web ecosystem readiness as Very strong with a +42–62% add-on contribution to passkey enrollment in Q1 2026 — the highest of any platform, driven by Apple's tight integration of Safari, the platform authenticator and iCloud Keychain. The Corbado Passkey Benchmark 2026 web passkey readiness analysis reports iOS web readiness at 99% at end of 2025, though the iOS 26.2 WKWebView isUVPAA() regression starts drawing third-party-browser readiness down in Q1 2026 before recovery — exactly the kind of edge case that iOS 26's Signal API and automatic-upgrade primitives help applications navigate.

2. Secure Passkey Import and Export

iOS 26 introduces secure credential portability, allowing users to move passkeys between iCloud Keychain and third-party managers like 1Password. Using FIDO Alliance-aligned schemas and data formats (drawing on the FIDO Credential Exchange work), the transfer is user-initiated, requires biometrics and occurs directly app-to-app as a same-device flow, avoiding insecure intermediate files.

For developers of credential managers, Apple introduced ASCredentialExportManager and ASCredentialImportManager. This portability comes with trade-offs in attestation: Apple's consumer synced passkeys generally omit platform attestation statements to protect user privacy, though enterprise attestation features remain available for managed device scenarios. For passkeys synced via iCloud Keychain, Apple's implementation sends a zeroed-out AAGUID, a strategic choice that prioritizes ecosystem openness and user privacy over hardware verification for most consumer use cases.

3. Passkey Account Creation API

The new Passkey Account Creation API enables a passwordless-by-default onboarding experience. Developers can invoke a native system UI that handles account creation and passkey provisioning in a single, frictionless step.

For more details about the implementation and impact, please refer to our dedicated blog post about the Passkey Account Creation API.

4. Enhancements for the Full Passkey Lifecycle

iOS 26 introduces critical enhancements for managing passkeys throughout their lifecycle.

  • Passkey Management Endpoints: By hosting a simple JSON file at /.well-known/passkey-endpoints, services can declare their passkey enrollment and management URLs, allowing credential managers to link users directly to the correct pages.
  • WebAuthn Signal API: Support for the W3C's WebAuthn Signal API allows a service to proactively "signal" changes to the user's device (e.g., username changes), ensuring the passkey stored locally remains accurate. This is available to native apps via the ASCredentialUpdater class and to websites via a corresponding JavaScript API in the browser.

5. Conclusion

The passkey enhancements in iOS 26 represent a comprehensive approach to advancing digital security and user convenience. These enhancements focus on four key areas: secure credential portability, seamless account creation, effective passkey lifecycle management, and synchronization of passkey metadata. Together, these improvements aim to reduce friction, enhance user privacy, and promote widespread adoption of passkeys as a secure alternative to traditional authentication methods. By addressing both user and developer needs, iOS 26 sets a new standard for digital identity management.

Frequently Asked Questions

How do iOS 26's ASCredentialExportManager and ASCredentialImportManager work for third-party credential managers?

iOS 26 introduces ASCredentialExportManager and ASCredentialImportManager as the developer APIs for credential portability. The transfer uses FIDO CXP-aligned schemas and flows directly app-to-app on the same device. Third-party managers such as 1Password can participate as both import and export destinations in this user-initiated flow.

How does the iOS 26 Passkey Account Creation API eliminate the need for traditional registration forms?

The ASAuthorizationAccountCreationProvider API presents a native system UI that handles account creation and passkey provisioning simultaneously in a single step. This removes the need for developers to build custom onboarding screens and makes a passwordless-by-default registration experience achievable with one API call.

How do I keep passkey metadata synchronized when a user changes their username or account details on iOS 26?

The WebAuthn Signal API, accessed via the ASCredentialUpdater class in native iOS apps and a corresponding JavaScript API in browsers, lets a service proactively push metadata changes such as username updates to the user's device. This keeps locally stored passkey records accurate without requiring users to re-enroll.
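
The website side of the Signal API flow described in section 4 and in the answer above, as an added example that is not Corbado's or Apple's code: it builds the signal payloads after a rename and sends only the ones the client supports. The `account` record shape and all sample values are assumptions; the method names are those of the W3C WebAuthn Signal API, and the example goes beyond the username case by also sending the list of credentials the server still accepts.

```javascript
// Added example, browser or Node 16+. The Signal API takes IDs as base64url.
const toB64Url = (bytes) =>
  btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Build the signals that describe the server's current view of one account.
// `account` is a hypothetical server record: { userId: Uint8Array, name,
// displayName, credentialIds: Uint8Array[] }.
function buildSignals(rpId, account) {
  const userId = toB64Url(account.userId);
  return [
    // Updates the name shown in the credential manager after a rename.
    ['signalCurrentUserDetails',
      { rpId, userId, name: account.name, displayName: account.displayName }],
    // Lets the credential manager drop passkeys the server has revoked.
    ['signalAllAcceptedCredentials',
      { rpId, userId,
        allAcceptedCredentialIds: account.credentialIds.map(toB64Url) }],
  ];
}

// Send only what the client supports. Call this for an authenticated session
// only: both payloads disclose account data (user handle, credential IDs).
async function sendSignals(signals, pkc = globalThis.PublicKeyCredential) {
  const sent = [];
  for (const [method, payload] of signals) {
    if (typeof pkc?.[method] !== 'function') continue; // no Signal API here
    await pkc[method](payload);
    sent.push(method);
  }
  return sent;
}

// Constructed sample account after the user renamed themselves.
const sampleAccount = {
  userId: Uint8Array.from([1, 2, 3, 4]),
  name: 'new.name@example.com',
  displayName: 'New Name',
  credentialIds: [Uint8Array.from([0xfb, 0xff, 0xfe])],
};
```

The `rpId` passed in must match the RP ID the passkeys were registered under, otherwise the client rejects the signal.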

Why does Apple omit platform attestation for consumer iCloud Keychain passkeys in iOS 26?

Apple deliberately omits platform attestation statements for consumer synced passkeys, sending a zeroed-out AAGUID instead. This trade-off prioritizes ecosystem openness and user privacy over hardware-level verification for most consumer scenarios. Enterprise attestation features remain fully available for managed device deployments where hardware verification is required.
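
How a relying party can handle the zeroed-out AAGUID described in section 2 and in the answer above, as an added example (Node.js) that is not code from Corbado or Apple: it parses registration authenticator data following the WebAuthn byte layout and bases the decision on the user-verification and backup flags. The policy function, its return values and the sample bytes are assumptions made for illustration.

```javascript
// Added example (Node.js). Sample bytes are constructed, not captured.
const ZERO_AAGUID = '00000000-0000-0000-0000-000000000000';

// Parse the fixed header and attested credential data of WebAuthn authData.
function parseAuthData(authData) {
  const buf = Buffer.from(authData);
  if (buf.length < 37) throw new Error('authData shorter than 37 bytes');
  const flags = buf[32]; // bytes 0..31 are the SHA-256 hash of the RP ID
  const out = {
    userVerified: (flags & 0x04) !== 0,
    backupEligible: (flags & 0x08) !== 0, // BE: credential may be synced
    backedUp: (flags & 0x10) !== 0,       // BS: credential is backed up now
    aaguid: null,
    credentialId: null,
  };
  if ((flags & 0x40) === 0) return out;   // AT clear: no attested credential
  if (buf.length < 55) throw new Error('truncated attested credential data');
  const hex = buf.subarray(37, 53).toString('hex');
  out.aaguid = [hex.slice(0, 8), hex.slice(8, 12), hex.slice(12, 16),
    hex.slice(16, 20), hex.slice(20)].join('-');
  const idLen = buf.readUInt16BE(53);
  if (buf.length < 55 + idLen) throw new Error('credential ID overruns authData');
  out.credentialId = buf.subarray(55, 55 + idLen).toString('base64url');
  return out;
}

// Hypothetical registration policy: a zeroed AAGUID is a normal unattested
// passkey, so the decision rests on user verification, not on provenance.
function registrationPolicy(parsed) {
  if (parsed.aaguid === null) return { accept: false, reason: 'no attested data' };
  if (!parsed.userVerified) return { accept: false, reason: 'no user verification' };
  return {
    accept: true,
    provenance: parsed.aaguid === ZERO_AAGUID ? 'unattested' : 'unverified-aaguid',
    synced: parsed.backupEligible && parsed.backedUp,
  };
}

// Constructed registration authData; the COSE public key that follows the
// credential ID in a real response is left out because nothing here reads it.
function sampleAuthData(flags, aaguidHex, credId = [0xde, 0xad, 0xbe, 0xef]) {
  return Buffer.concat([
    Buffer.alloc(32, 0xaa), Buffer.from([flags]), Buffer.alloc(4),
    Buffer.from(aaguidHex, 'hex'),
    Buffer.from([credId.length >> 8, credId.length & 0xff]), Buffer.from(credId),
  ]);
}
```

A non-zero AAGUID is labelled `unverified-aaguid` here because, without a verified attestation statement, the value is only what the authenticator claims about itself.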
